[JDEV] PGP / Public Key retrieval

Bernd Eckenfels lists at lina.inka.de
Wed Oct 11 17:41:56 CDT 2000

On Tue, Oct 10, 2000 at 11:43:49AM -0400, Peter Millard wrote:
> This is the entire reason that key servers exist...

No, thats wrong. Anyone can upload any key to any PGP Keyserver. They are
not at all trusted. PGP Keyservers are only there to enable automatic
retreiving of keys without having to support multiple access modes or
attaching the key to every message. It is also good for users who dont have
an online accesable storage to publish the keys. 

> The Public key servers are "trusted authorities" so that we both trust the
> server, thus, we can "safely" exchange public keys with it.

No you cannot. The only way to trust a Key from a Key server is to check its
signatures. Just as you would do with Disks, mailed keys, fingered keys or
printed keys.

> IMO, the ONLY way that a Jabber client should fetch keys is by doing it
> through an existing public key server.. or force the user to use the PGP/GPG
> key utilities to find the key first, and just use the existing key ring.

Yes, but both is not secure. You need to calculate the trust metric and
display it.


  (OO)      -- Bernd_Eckenfels at Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes at irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

More information about the JDev mailing list